Cross-posted from Trading Secrets

With all the high-profile breaches that seem to be in the news lately, there is a plethora of “guidance” on cybersecurity. The Attorney General of California has decided to add to this library of guidance with her “Cybersecurity in the Golden State” offering. Cybersecurity is a fairly mature knowledge domain, so I am not quite sure why General Harris has determined that additional guidance needs to be put in place. However, it is a good reminder of the things regulators will look for when assessing, in the aftermath of a breach, whether or not “reasonable security” was implemented. And while there isn’t anything new in the guidance, what is informative is what is not there.

General Harris’ guidance does a good job of turning an oftentimes technical topic into something most small to medium business owners can understand. Considering that a common vector for attacking a large company is one of its smaller vendors, this is a laudable goal (think Target’s HVAC vendor).

The ten “first principles” that the guidance elevates, 1) Assume You are a Target, 2) Lead by Example (for the CEO), 3) Map Your Data, 4) Encrypt Your Data, 5) Bank Securely, 6) Defend Yourself, 7) Educate Employees, 8) Be Password Wise, 9) Operate Securely, and 10) Plan for the Worst, are all good foundations to work from. Unfortunately, these principles are a floor, and a somewhat incomplete floor at that.

Risk-Based Security

The most glaring “first principle” missing from General Harris’ guidance is “Understand Your Risk”. While concepts of risk-assessment methodology are sprinkled throughout the document’s text, this foundational principle isn’t really called out. Applying “reasonable security” must start with an understanding of what is reasonable. While the data mapping exercise recommended by General Harris is a good start, merely knowing where your data is doesn’t describe the complete risk profile. What kind of data is present? Where did it come from? How is it used? Where does it go (to vendors, or at end-of-life)? These are all critical in determining which security measures you deploy.

All of the other cybersecurity models start with a risk analysis. The NIST and FISMA frameworks are risk-based. So is the FFIEC’s guidance for the financial industry. This is a foundational element that needs to be called out as a “first principle” in and of itself.

Ecosystem Security

In the highly networked environment that is the modern age of service delivery, no business is an island. General Harris’ guidance seems to be mostly internally focused: what can the business do to protect itself? As we have seen with the Target hack, one of the additional foundational principles of good cybersecurity is understanding where one sits within the larger ecosystem. The HVAC vendor needs to understand that it has a duty to its clients upstream, but also that it carries risk from *its* vendors downstream. This is also part of the risk-based security approach described above. You can’t just look at your own systems; you have to look at the systems in both directions of the supply chain.

All in all, General Harris’ guidance is a good start, but it is missing two highly critical principles on which a number of other cybersecurity frameworks rely for their foundation. These principles of risk-based security and a holistic point of view are going to be critical for anyone who wants to avoid having the General look closely at their cybersecurity program because of a breach that affects Californians.